Verification Of UID(0) Requirement For Started Tasks To Comply With GAO Audit Question And Top Secret

Article ID: 189516

Products

Top Secret
Top Secret - LDAP
WEB ADMINISTRATOR FOR TOP SECRET
CA 7 Workload Automation

Issue/Introduction

Verification of mainframe started tasks that require UID(0)

Started task description

BBI PASS MANAGER

CA7

OMVS/CRON (task scheduler)

Kernel Daemon for FTP

Oracle10g MFRS DBASE SERVICES

Oracle10g MFRT DBASE SERVICES

Oracle10g MVRP DBASE SERVICES

z/OS TCP/IP STC

ORACLE10G SYT STC ACID

TCPIP POLICY AGENT

Mainview

NETMASTER Report Center

BATCH/DASD VOLUME CONFIG-DEFRAG

CA7 PROD CONTROL

SSH TECTIA SERVER

WILYZOS STC – CA CROSS Enterprise APM agent

ZFS ACID (omvs zs file system manager)

Resolution

The requirement for UID(0) is not a Top Secret requirement. It is product specific. For the Broadcom products in the list:

CA7 
CA7 PROD CONTROL 
NETMASTER Report Center

** Nothing in the WORKLOAD AUTOMATION CA 7® EDITION 12.1 documentation states that UID(0) is required. Here are the commands for Top Secret:

Workload Automation CA 7 Edition requires an ACID definition to execute under Top Secret security. This definition identifies WA CA 7 Edition as a started task, names the procedure from which WA CA 7 Edition executes, and associates the WA CA 7 Edition facility with the WA CA 7 Edition ACID.
This command has the following format:

TSS CREATE(acid) NAME('CA 7 ONLINE ACID') FAC(STC,BATCH) +
TYPE(USER) PASS(NOPW) DEPT(dept) MASTFAC(CA7)
TSS PERMIT(acid) ACID(acid1)

Where acid1 is one of the ACIDs that you want to use for scheduled batch jobs through WA CA 7 Edition. Repeat the PERMIT for each ACID that is used for scheduled batch jobs through WA CA 7 Edition.

Though not recommended, if you want to allow the 'acid' ACID to submit jobs under any ACID without defining each one separately, add the NOSUBCHK attribute to 'acid'.

The following command adds the WA CA 7 Edition ACID to the Top Secret Started Task facility and identifies the WA CA 7 Edition procedure name.

TSS ADDTO(STC) PROCNAME(ca7proc) ACID(acid)

Define ICOM to Top Secret
The Workload Automation CA 7 Edition Independent Communications Manager (ICOM) must also be defined to Top Secret. ICOM handles SMF data for jobs that are submitted through WA CA 7 Edition, and therefore requires an ACID to execute in a Top Secret secured environment. The following command example may be used to define ICOM to Top Secret.
This command has the following format:

TSS CREATE(acid2) NAME('CA 7 ICOM') FAC(STC) TYPE(USER) +
PASS(NOPW) DEPT(dept) MASTFAC(CA7)
TSS PERMIT(acid2) ACID(acid1)

The following command adds the ICOM ACID to the Top Secret Started Task Facility and identifies the ICOM procedure name.

TSS ADDTO(STC) PROCNAME(ca7icomproc) ACID(acid2)

Where acid1 is one of the ACIDs that you want to use for scheduled batch jobs through CA 7 Edition. Repeat the PERMIT for each ACID that is used for scheduled batch jobs through CA 7 Edition.

Though not recommended, if you want to allow the 'acid2' ACID to submit jobs under any ACID without defining each one separately, add the NOSUBCHK attribute to 'acid2'.

** The NETMASTER SHARED CONTENT LIBRARY 12.2 documentation gives the commands (TSS, ACF2, and RACF) to set up the OMVS segments for region STCs. The TSS command has UID(nnn), which indicates that 0 is not required.

** For the non-Broadcom/CA products, check with the product vendor to see whether their respective product requires UID(0) on the region ACID.
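
One way to review a TSS command deck for the two settings this article cautions about, UID(0) and NOSUBCHK, and tie each finding back to its started-task procedure. This is an added example, not Broadcom code or documentation; the ACID, department and procedure names and the sample deck are constructed, and the parser assumes only the KEYWORD(value) syntax and '+' continuation shown in the commands above.

```python
import re

# KEYWORD(value) or a bare KEYWORD; a value may be a quoted string with spaces.
TOKEN = re.compile(r"([A-Za-z0-9]+)(?:\(('[^']*'|[^()]*)\))?")

def commands(deck):
    """Join lines ending in '+' (the continuation style used above)."""
    out, pending = [], ""
    for line in deck.splitlines():
        line = line.strip()
        if line.endswith("+"):
            pending += line[:-1].strip() + " "
        elif line or pending:
            out.append(pending + line)
            pending = ""
    return out

def parse(command):
    """Split 'TSS VERB(target) KEY(value) ...' into (verb, target, operands)."""
    tokens = TOKEN.findall(command)
    if len(tokens) < 2 or tokens[0][0].upper() != "TSS":
        raise ValueError(f"not a TSS command: {command!r}")
    verb, target = tokens[1]
    return verb.upper(), target, {k.upper(): v.strip("'") for k, v in tokens[2:]}

def lint(deck):
    """Return (acid, started-task proc or None, setting) for UID(0) and NOSUBCHK."""
    parsed = [parse(c) for c in commands(deck)]
    # TSS ADDTO(STC) PROCNAME(proc) ACID(acid) ties an ACID to its procedure.
    procs = {ops["ACID"]: ops.get("PROCNAME") for verb, target, ops in parsed
             if verb == "ADDTO" and target.upper() == "STC" and "ACID" in ops}
    findings = []
    for verb, target, ops in parsed:
        uid = ops.get("UID", "")
        if uid.isdigit() and int(uid) == 0:  # also catches UID(0000000000)
            findings.append((target, procs.get(target), "UID(0)"))
        if "NOSUBCHK" in ops:
            findings.append((target, procs.get(target), "NOSUBCHK"))
    return findings

# Constructed sample deck: ACID, department and procedure names are made up.
SAMPLE = """\
TSS CREATE(CA7STC) NAME('CA 7 ONLINE ACID') FAC(STC,BATCH) +
TYPE(USER) PASS(NOPW) DEPT(OPSDEPT) MASTFAC(CA7)
TSS ADDTO(STC) PROCNAME(CA7ONL) ACID(CA7STC)
TSS ADDTO(CA7STC) UID(0) HOME(/)
TSS ADDTO(CA7STC) NOSUBCHK
TSS ADDTO(NMRPT) UID(1201) HOME(/)
"""
```

Calling lint(SAMPLE) returns one finding per flagged setting; each is a prompt to check the product's documentation for a stated UID(0) or NOSUBCHK need before the command is issued.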